Choice Health/UHG Breach Creates HIPAA Headaches For Impacted Health Care Providers & Other HIPAA Covered Entities |

Choice Health/UHG Breach Creates HIPAA Headaches For Impacted Health Care Providers & Other HIPAA Covered Entities

With the ransomware cybersecurity incident experienced by UnitedHealthcare Group (“UHG”) and its subsidiary, Change Healthcare, continuing to disrupt patient care, billing other essential health care operations nationwide, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) is warning health care providers, health plans, health care clearinghouses and their business associates (covered entities) impacted by the breach and resulting system disruptions to ensure their own fulfillment of the breach notification, risk assessment and other requirements of the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, and Breach Notification Rules. While the CH/UHG Attack clearly raises concerns for covered entities using the Choice Health tools, the implications are not limited to those covered entities. The occurrence of the ransom attack and its broad sweeping effects also warrants, at least some documented consideration about ransom and other exposures for even those covered entities and their business associates who have not experienced disruptions from the CH/UHG attack. Consequently, health care providers and other HiPAA covered entities and business associates should consult with legal counsel for advice and help evaluating their resulting HIPAA security, breach notification and other obligations as soon as possible to mitigate their own HIPAA risks from the consequences of the attacks as soon as possible.

Change Healthcare Ransomware Attack

On February 21, 2024, a ransomware attack executed by the Blackcat1234 ransomware group took control of and shut down the payment, revenue cycle management and related tools and systems of UHG Subsidiary Change Healthcare. Well-known for stealing sensitive data and demanding ransom for not publishing it, and other public and private cybersecurity monitoring and tracking organizations have warned heath care and other system operators to guard against Blackcat1234 and related ransomware attack risks since at least 2022. See, e.g., #StopRansomware: ALPHV Blackcat | CISA.

The Choice Health shutdown resulting from the Blackcat1234 ransomware attack has created widespread disruptions to key care authorization, billing and other pharmacy, provider and other plan and provider transactions within health care and health benefit systems nationwide due to the widespread use of the Choice Health tools. Among other things:

Due to the widespread use of the Change Healthcare tools and systems as a financial clearinghouse for connecting pharmacy benefit managers, health care providers, and other key plays and health plans throughout the health care and health benefits industry, the attack has and continues to disrupt key billing, care-authorization, payment and other transactions between health care payers and pharmacies, physicians and other health care providers and health care payers and their partners across the health care industry. See, e.g.,

As UHG has worked to recover from the Choice Health attack, the resulting shutdown and disruption to electronic payment and medical claims systems incorporating the compromised Change Healthcare tools create various legal and operational headaches for many health plans and other health care payers by preventing or obstructing the submission and processing of health care claims and other transactions between health care providers and health plans. While UHG works to remediate and restore the operability and security of the Choice Health tools and systems, health plans, and insurers, their fiduciaries, plan sponsors, and fiduciaries should take timely and prudent steps in response to the breach and resulting disruptions to mitigate the exposure of their health plans, and themselves under HIPAA and other laws.

HIPAA Effects Beyond Choice Health

HIPAA requires health care providers and other covered entities and their business associates to protect the privacy and security of protected health information, to have and enforce HIPAA-compliant business associate agreements, to conduct timely documented risk assessments in response to known or foreseeable security threats, and to provide notice of a breach to OCR, affected individuals and for breaches affecting more than 500 individuals.

In its March 13, 2024 “Dear Colleague letter,” OCR confirms it is investigating the UHG breach and its fallout. While stating the investigation currently focuses on Change Health and UHC, it also signals probable “secondary” investigations of health care providers, health plans, and business associates “tied to or impacted by this attack” in the future.

OCR’s Letter warns health care providers, health plans and business associates “that have partnered with Change Healthcare and UHG” not to overlook their own potential HIPAA responsibilities and exposures. OCR’s letter warns these impacted covered entities to verify their fulfillment of their regulatory obligations and responsibilities, including ensuring that “business associate agreements are in place and that timely breach notification to HHS and affected individuals occurs as required by the HIPAA Rules.”

Ransomware and hacking are the primary cyber-threats in health care. Over the past five years, there has been a 256% increase in large breaches reported to OCR involving hacking and a 264% increase in ransomware. In 2023, hacking accounted for 79% of the large breaches reported to OCR. The large breaches reported in 2023 affected over 134 million individuals, a 141% increase from 2022.The Choice Health/UHG attack occurred just days after OCR announced the second of two HIPAA resolution agreements since October as well as published a series of other guidance warning covered entities and their business associates to guard against ransomware and other cybersecurity threats as part of their HIPAA obligations. See, e.g. OCR Nails Second HIPAA Covered For Allowing Ransomware Breach

The March 13 Letter highlights various the resources to assist covered entities in protecting records systems and patients from
cyberattacks including:

The OCR HIPAA Security Rule Guidance Material webpage;
OCR Video on How the HIPAA Security Rule Protects Against Cyberattacks;
OCR Webinar on HIPAA Security Rule Risk Analysis Requirement;
HHS Security Risk Assessment Tool;
Factsheet: Ransomware and HIPAA;
Healthcare and Public Health (HPH) Cybersecurity Performance Goals; and
The HHS Breach Portal link at: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf for reporting breaches.

In the face of the March 13 Letter and the continued heightened ransomware and other cyber security risk, all covered entities and business associates partnered with or impacted by the Choice Health/UHG breach or its resulting distributions specifically, as well as covered entities and business associates generally should work with experienced legal counsel to conduct documented risk assessments of their systems, exposures, responsibilities and risks taking into account these developments as soon as possible in anticipation of complaint or audit driven investigations arising from the Choice Health and other malware events and treats. The Choice Health/UHG and other known and evolving ransomware and other cyber attacks almost certainly warrant the need for those partnered or impacted by the breach to conduct documented, evaluations of the need to provide breach notification, as well as updated risk assessments. Moreover, given the widespread and continuing exposure to ransom and other cyber security risks referenced in the OCR and other reports, even those covered entities not partnered or impacted also need to conduct updated risk assessments based on the notifications of emerging risks, highlighted by that breach.

Along with updating risk assessments and resulting safeguards, covered entities, and business associates also clearly should ensure that they have up-to-date, business associate agreements and privacy practices policies.

Billing and Payment

While OCR prioritizes data security, most healthcare providers view, payment and billing disruptions as their biggest concerns.

Choice Healthcare’s shutdown its system to prevent further data breaches and destruction effectively cut off the ability of healthcare providers using or submitting claims or eligibility request through systems using Choice Health tools. The lockout denies providers the ability to submit claims, obtain verifications of benefits, and engage in other transactions, essential for healthcare providers to verify payment eligibility, much less submit, and get payment on claims. Along with the obvious disruptions of UHG insured or administered health plans, widespread use of Choice Health as the health care clearinghouse for the submission to abroad range of other insured and self insured plans has resulted in disruptions in these processes that extend to a wide range heath insurers and payers. Providers across the country already are complaining that the interruptions are creating financial crisis and providers across the nation.

The Centers for Medicare & Medicaid Services (CMS) has sought to facilitate the ability of providers to transition to other healthcare, clearing houses, and has approved special advanced payment procedures for Medicaid and Medicare to try to bridge the deadlock. See e.g., Change Healthcare/ Optum Payment Disruption (CHOPD) Accelerated and Advance Payments for Part A Providers and Part B Suppliers Frequently Asked Questions.

For More Information

We hope this update is helpful. For more information about these or other health or other legal, management, or public policy developments, please get in touch with the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452 -8297.

Solutions Law Press, Inc. invites you to receive future updates by registering on our Solutions Law Press, Inc. Website and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations Group, HR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

About the Author

Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for 35 plus years of health industry and other management work, public policy leadership and advocacy, coaching, teachings, and publications.

A Fellow in the American College of Employee Benefit Counsel, Co-Chair of the American Bar Association (“ABA”) International Section Life Sciences and Health Committee and Vice-Chair Elect of its International Employment Law Committee, Chair-Elect of the ABA TIPS Section Medicine & Law Committee, Past Chair of the ABA Managed Care & Insurance Interest Group, Scribe for the ABA JCEB Annual Agency Meeting with HHS-OCR, past chair of the ABA RPTE Employee Benefits & Other Compensation Group and current co-Chair of its Welfare Benefit Committee, and Chair of the ABA Intellectual Property Section Law Practice Management Committee, Ms. Stamer is most widely recognized for her decades of pragmatic, leading-edge work, scholarship and thought leadership on heath benefit and other healthcare and life science, managed care and insurance and other workforce and staffing, employee benefits, safety, contracting, quality assurance, compliance and risk management, and other legal, public policy and operational concerns in the healthcare and life sciences, employee benefits, managed care and insurance, technology and other related industries. She speaks and publishes extensively on these and other related compliance issues.

Ms. Stamer’s work throughout her career has focused heavily on working with health care and managed care, life sciences, health and other employee benefit plan, insurance and financial services and other public and private organizations and their technology, data, and other service providers and advisors domestically and internationally with legal and operational compliance and risk management, performance and workforce management, regulatory and public policy and other legal and operational concerns. Author of a multitude of highly regarded publications on HIPAA and other medical record and data privacy and scribe for the ABA JCEB Annual Meeting with the HHS Office of Civil Rights, her experience includes extensive involvement throughout her career in advising health care and life sciences and other clients about preventing, investigating and defending EEOC, DOJ, OFCCP and other Civil Rights Act, Section 1557 and other HHS, HUD, banking, and other federal and state discrimination investigations, audits, lawsuits and other enforcement actions as well as advocacy before Congress and regulators regarding federal and state equal opportunity, equity and other laws.

For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Laws Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested in reviewing some of our other Solutions Law Press, Inc.™ resources available here, such as:

IMPORTANT NOTICE ABOUT THIS COMMUNICATION

NOTICE: These statements and materials are for general informational and educational purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstances at any particular time. No comment or statement in this publication is to be construed as legal advice or an admission. The author and Solutions Law Press, Inc.™ reserve the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law is rapidly evolving and rapidly evolving rules make it highly likely that subsequent developments could impact the currency and completeness of this discussion. The author and Solutions Law Press, Inc.™ disclaim, and have no responsibility to provide any update or otherwise notify anyone of any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication. Readers acknowledge and agree to the conditions of this Notice as a condition of their access to this publication.

Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

This entry was posted on Wednesday, March 13th, 2024 at 11:05 pm and is filed under Health Care. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.